Disabling SSLv3 but still supporting SSLv2Hello in Apache
Solution 1:
Apparently mod_ssl has changed in the last year or so (I haven't found the exact commit to the source, but found the "problem"). The source now does this:
    If SSLProtocol includes only one protocol:
        Handshake = That Protocol's Handshake Only
    Else
        Handshake = SSLv2 Handshake

There's no override for this setting. The only thing you could do is edit the source and recompile your own version. I've created a diff to force SSLv2 Handshake compatibility if you want to compile your own.
Solution 2:
So it turns out this was a non-issue all along. Apache will accept an SSLv2 handshake with either of the configurations I posted above. I was misled by a handshake error into thinking this was the issue; it was really just a configuration issue where the server wasn't trusting the client's CA.
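Both answers turn on which hello format the client actually sends, which can be read from the first bytes of a packet capture. The following is an added example, not code from either answer or from mod_ssl; the function name, the returned keys and the sample byte strings are constructed for illustration.

```python
import struct

# Version bytes as they appear on the wire. TLS 1.3 clients also send 03 03 here
# (legacy_version), so "TLSv1.2" below means "TLSv1.2 or later".
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends to a TLS listener."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2-format record: 2-byte header with the high bit set, then
    # message type 1 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        offered = VERSIONS.get((data[3], data[4]), "unknown")
        return {"format": "SSLv2Hello", "record_length": length,
                "offered": offered, "ssl2_only": offered == "SSLv2"}
    # SSLv3/TLS record: content type 22 (handshake), 2-byte record version,
    # 2-byte length, then handshake type 1 (client_hello), 3-byte length,
    # and client_version at offsets 9-10.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11:
            raise ValueError("truncated handshake record")
        if data[5] != 0x01:
            return {"format": "TLS record", "offered": None}
        length = struct.unpack(">H", data[3:5])[0]
        offered = VERSIONS.get((data[9], data[10]), "unknown")
        return {"format": "TLS record", "record_length": length,
                "offered": offered, "ssl2_only": False}
    return {"format": "unknown", "offered": None}

# Constructed sample: SSLv2-format hello offering TLS 1.0, one cipher spec,
# no session id, 16-byte challenge (the shape older Java clients send).
_v2_body = (bytes([0x01, 0x03, 0x01]) + struct.pack(">HHH", 3, 0, 16)
            + b"\x00\x00\x2f" + bytes(16))
SAMPLE_V2_HELLO = struct.pack(">H", 0x8000 | len(_v2_body)) + _v2_body

# Constructed sample: ordinary TLS record carrying a minimal ClientHello.
_hs_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_hs = b"\x01" + len(_hs_body).to_bytes(3, "big") + _hs_body
SAMPLE_TLS_HELLO = b"\x16\x03\x01" + struct.pack(">H", len(_hs)) + _hs

if __name__ == "__main__":
    for name, sample in (("v2", SAMPLE_V2_HELLO), ("tls", SAMPLE_TLS_HELLO)):
        print(name, classify_client_hello(sample))
```

An SSLv2Hello result with `ssl2_only` false means the client is only using the old framing to offer SSLv3 or TLS, so a failure after that point lies elsewhere in the handshake, as in the CA trust problem described in Solution 2.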